Patent application number | Description | Published |
20080235804 | Dynamic Creation and Hierarchical Organization of Trusted Platform Modules - A trusted platform module is presented that is capable of creating, dynamically, multiple virtual trusted platform modules in a hierarchical organization. A trusted platform module domain is created. The trusted platform module creates virtual trusted platform modules, as needed, in the trusted platform module domain. The virtual trusted platform modules can inherit the permissions of a parent trusted platform module to have the ability to create virtual trusted platform modules themselves. Each virtual trusted platform module is associated with a specific partition. Each partition is associated with an individual operating system. The hierarchy of created operating systems and their privilege of spawning new operating systems is reflected in the hierarchy of trusted platform modules and the privileges each of the trusted platform modules has. | 09-25-2008 |
20090006597 | Trust Evaluation - A solution for evaluating trust in a computer infrastructure is provided. In particular, a plurality of computing devices in the computer infrastructure evaluate one or more other computing devices in the computer infrastructure based on a set of device measurements for the other computing device(s) and a set of reference measurements. To this extent, each of the plurality of computing devices also provides a set of device measurements for processing by the other computing device(s) in the computer infrastructure. | 01-01-2009 |
20090006843 | METHOD AND SYSTEM FOR PROVIDING A TRUSTED PLATFORM MODULE IN A HYPERVISOR ENVIRONMENT - A method is presented for implementing a trusted computing environment within a data processing system. A hypervisor is initialized within the data processing system, and the hypervisor supervises a plurality of logical, partitionable, runtime environments within the data processing system. The hypervisor reserves a logical partition for a hypervisor-based trusted platform module (TPM) and presents the hypervisor-based trusted platform module to other logical partitions as a virtual device via a device interface. Each time that the hypervisor creates a logical partition within the data processing system, the hypervisor also instantiates a logical TPM within the reserved partition such that the logical TPM is anchored to the hypervisor-based TPM. The hypervisor manages multiple logical TPM's within the reserved partition such that each logical TPM is uniquely associated with a logical partition. | 01-01-2009 |
20090049305 | METHOD AND SYSTEM FOR HIERARCHICAL PLATFORM BOOT MEASUREMENTS IN A TRUSTED COMPUTING ENVIRONMENT - An architecture for a distributed data processing system comprises a system-level service processor along with one or more node-level service processors; each are uniquely associated with a node, and each is extended to comprise any components that are necessary for operating the nodes as trusted platforms, such as a TPM and a CRTM in accordance with the security model of the Trusted Computing Group. These node-level service processors then inter-operate with the system-level service processor, which also contains any components that are necessary for operating the system as a whole as a trusted platform. A TPM within the system-level service processor aggregates integrity metrics that are gathered by the node-level service processors, thereafter reporting integrity metrics as requested, e.g., to a hypervisor, thereby allowing a large distributed data processing system to be validated as a trusted computing environment while allowing its highly parallelized initialization process to proceed. | 02-19-2009 |
20090063857 | METHOD AND SYSTEM FOR PROVIDING A TRUSTED PLATFORM MODULE IN A HYPERVISOR ENVIRONMENT - A method is presented for implementing a trusted computing environment within a data processing system. A hypervisor is initialized within the data processing system, and the hypervisor supervises a plurality of logical, partitionable, runtime environments within the data processing system. The hypervisor reserves a logical partition for a hypervisor-based trusted platform module (TPM) and presents the hypervisor-based trusted platform module to other logical partitions as a virtual device via a device interface. Each time that the hypervisor creates a logical partition within the data processing system, the hypervisor also instantiates a logical TPM within the reserved partition such that the logical TPM is anchored to the hypervisor-based TPM. The hypervisor manages multiple logical TPM's within the reserved partition such that each logical TPM is uniquely associated with a logical partition. | 03-05-2009 |
20090313470 | Using a Portable Computing Device as a Smart Key Device - A first data processing system, which includes a first cryptographic device, is communicatively coupled with a second data processing system, which includes a second cryptographic device. The cryptographic devices then mutually authenticate themselves. The first cryptographic device stores a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair that is associated with the second data processing system. The second cryptographic device stores a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair that is associated with the first data processing system. In response to successfully performing the mutual authentication operation between the two cryptographic systems, the first data processing system is enabled to invoke sensitive cryptographic functions on the first cryptographic device while the first data processing system remains communicatively coupled with the second data processing system. | 12-17-2009 |
20090327763 | Method for Using a Compact Disk as a Smart Key Device - A data processing method accepts a removable storage media, which becomes electrically engaged with a system unit within the data processing system, after which the removable storage media and the hardware security unit mutually authenticate themselves. The removable storage media stores a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair that is associated with the hardware security unit, and the hardware security unit stores a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair that is associated with the removable storage media. In response to successfully performing the mutual authentication operation between the removable storage media and the hardware security unit, the system unit is enabled to invoke cryptographic functions on the hardware security unit while the removable storage media remains engaged with the system unit. | 12-31-2009 |
20100042823 | Method, Apparatus, and Product for Providing a Scalable Trusted Platform Module in a Hypervisor Environment - A method, apparatus, and computer program product are described for implementing a trusted computing environment within a data processing system where the data processing system includes a single hardware trusted platform module (TPM). Multiple logical partitions are provided in the data processing system. A unique context is generated for each one of the logical partitions. When one of the logical partitions requires access to the hardware TPM, that partition's context is required to be stored in the hardware TPM. The hardware TPM includes a finite number of storage locations, called context slots, for storing contexts. Each context slot can store one partition's context. Each one of the partitions is associated with one of the limited number of context storage slots in the hardware TPM. At least one of the context slots is simultaneously associated with more than one of the logical partitions. Contexts are swapped into and out of the hardware TPM during runtime of the data processing system so that when ones of the partitions require access to the hardware TPM, their required contexts are currently stored in the hardware TPM. | 02-18-2010 |
20100070781 | METHOD AND SYSTEM FOR BOOTSTRAPPING A TRUSTED SERVER HAVING REDUNDANT TRUSTED PLATFORM MODULES - Multiple trusted platform modules within a data processing system are used in a redundant manner that provides a reliable mechanism for securely storing secret data at rest that is used to bootstrap a system trusted platform module. A hypervisor requests each trusted platform module to encrypt a copy of the secret data, thereby generating multiple versions of encrypted secret data values, which are then stored within a non-volatile memory within the trusted platform. At some later point in time, the encrypted secret data values are retrieved, decrypted by the trusted platform module that performed the previous encryption, and then compared to each other. If any of the decrypted values do not match a quorum of values from the comparison operation, then a corresponding trusted platform module for a non-matching decrypted value is designated as defective because it has not been able to correctly decrypt a value that it previously encrypted. | 03-18-2010 |
20130054780 | Monitoring Geographic Location Changes of Assets in a Cloud - Despite the best intentions of a cloud service provider, digital assets of may be moved to a geographic location that deviates from a geographic preference, policy, or setting of the owner of the digital assets. A monitoring tool can monitor network location of a digital asset hosted by a cloud service provider. Movement of the digital asset from a first network location to a second network location is detected. In response to detecting that the digital asset moves, a geographic location that corresponds to the second network location is determined. It is then determined that the geographic location deviates from a geographic setting configured for the digital asset. A notification that the digital asset has been moved to the geographic location that deviates from the geographic setting is generated. | 02-28-2013 |
20130086383 | VIRTUAL MACHINE IMAGES ENCRYPTION USING TRUSTED COMPUTING GROUP SEALING - A host machine provisions a virtual machine from a catalog of stock virtual machines. The host machine instantiates the virtual machine. The host machine configures the virtual machine, based on customer inputs, to form a customer's configured virtual machine. The host machine creates an image from the customer's configured virtual machine. The host machine unwraps a sealed customer's symmetric key to form a customer's symmetric key. The host machine encrypts the customer's configured virtual machine with the customer's symmetric key to form an encrypted configured virtual machine. The host machine stores the encrypted configured virtual machine to non-volatile storage. | 04-04-2013 |
20130238789 | MONITORING GEOGRAPHIC LOCATION CHANGES OF ASSETS IN A CLOUD - A monitoring tool can monitor network location of a digital asset hosted by a cloud service provider. Movement of the digital asset from a first network location to a second network location is detected. In response to detecting that the digital asset moves, a geographic location that corresponds to the second network location is determined. It is then determined that the geographic location deviates from a geographic setting configured for the digital asset. A notification that the digital asset has been moved to the geographic location that deviates from the geographic setting is generated. | 09-12-2013 |
20150067761 | MANAGING SECURITY AND COMPLIANCE OF VOLATILE SYSTEMS - An inventory manager optimizes the security and maintenance of a plurality of virtual machines and their workloads in a cloud environment and has: an inventory database, a workload compliance history of scanning workloads database, and a workload category database including security rules and compliance policies relating to workload category in a repository. The inventory manager identifies changes to characteristics of the workload of the plurality of virtual machines; alters the inventory database stored in the repository and maintained by the inventory manager, based on the identified changes to the characteristics of the workload of the plurality of virtual machines; and initiates security rules and compliance policies of the workload category database based on the identified changes to the characteristics of the workload of the plurality of virtual machines through a security tools program. | 03-05-2015 |